Image of the entrance to the United States Supreme Court building.

Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?

Image Credit: MarkThomas from Pixabay.

[Originally published as a Feature Article: Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts?, by Amira Bucklin and Lily Li, in Orange County Lawyer Magazine, May 2021, Vol. 63 No.5, page 40.]

by Amira Bucklin and Lily Li

In 2020, when lockdown and shelter-at-home orders were implemented, the world moved online. Team meetings, conference calls, even court hearings entered the cloud. More than ever, consumers used online shopping instead of strolling through malls, and online learning platforms instead of classrooms. “Zoom” became a way to meet up with friends over a glass of wine, or conduct job interviews in a blouse, suit jacket, and yoga pants.

This has had vast consequences for personal privacy and cybersecurity. While most consumers might recognize the brand of their online learning platform, ecommerce store, or video conference tool of choice, most consumers don’t notice the network of service providers that work in the background. A whole ecosystem of connected businesses and platforms that collect, store, and transfer data and software, all governed by a new set of international privacy rules and contractual commitments. Yet, many of these rules have not been tested in the courts, and they have several implications in the context of privacy.

The Privacy Conundrum

This month marks the three-year anniversary of the EU’s General Data Protection Regulation (GDPR). As expected, its consequences have been far-reaching, and fines for violations have been staggeringly high.

The GDPR requires companies in charge of personal data (“data controllers”) to enter into data processing agreements with their service providers (or “data processors”), including, at times, standard data protection clauses drafted by the EU Commission. These data processing mega-contracts (ranging from 1-100+ pages) impose a series of foreign data protection and security obligations on the parties.

A unique challenge presented by these contracts is the fact that such data processing agreements and model data protection clauses often include their own choice of law provisions, calling for the applicability of EU member state law, and requiring the parties to grant third-party beneficiary rights to individuals in a wholly different country.

This challenge is not just limited to parties contracting with EU companies, either. Due to the GDPR’s extraterritorial scope, two U.S.-based companies can enter into a contract subject to the laws of the State of California, but which includes a data processing addendum or security schedule that is subject to the laws of the United Kingdom, France, or Germany.

What happens if there is a dispute between these parties regarding their rights and responsibilities, which are subject to foreign data protection laws? How will U.S. courts treat these disputes? How much deference will—and should—a U.S. court provide to foreign interpretations of law?

Continue Reading Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?
Map of the United States - State Privacy Laws

State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow

Image Credit: Free-Photos from Pixabay.

Hard on the heels of the California Consumer Privacy Act of 2018 (CCPA) and updated state privacy laws in Nevada and Maine which took effect in 2019, state data privacy legislation is still on the rise.

In November of 2020, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), further amending the CCPA. The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.

Most recently, the Virginia Governor signed the Consumer Data Protection Act into law, thereby making Virginia yet another U.S. state with a comprehensive state privacy law. 

As momentum builds for state privacy laws, 2021 could be the year that privacy laws gain footing across the country, helping Americans exercise control over their digital lives.

Washington’s Privacy Act 2021, SB 5062
**Update: The WPA did not pass the House by the April 11 deadline. On April 12, however, Senator Carlyle tweeted that the “bill remains alive through the end of the session.” The legislature will close on April 25.

*** Update 4/26: The WPA did not pass for the third year in a row, due to the late introduction of a limited private right of action (for injunctive relief). Jump to the bottom of the page for links to other pending state legislation.

The most notable – due to its furthest progression in state legislation – is the current draft of the Washington Privacy Act 2021 (“WPA”). This draft bill is the third version of the act introduced by Washington state Sen. Reuven Carlyle (D-Seattle) in as many years.


The WPA would apply to legal entities that:

Continue Reading State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow
Privacy nutrition label

Opt-Out Icons and Apple Privacy Labels: The Visual Privacy Policy

Image Credit: FDA Nutrition Label, modified by Metaverse Law

The growing frequency and severity of privacy incidents within the past decade—the Facebook-Cambridge Analytica data scandal and Equifax data breach, to name just a few—has made consumer privacy a topic of public attention and concern.

In response to consumers’ increased wariness regarding their private data, some companies are trying to use privacy labels and icons to signal a commitment to privacy protection. The ultimate goal is to make privacy more accessible, transparent, and understandable.

This article reviews the history and current trends around privacy icons and labels.

Privacy Visuals Part I: Icons

In 2010, the Digital Advertising Alliance (DAA) rolled out its “YourAdChoices” icon – a clickable blue triangular icon found on ads. This was one of the first privacy icons available. The DAA developed this icon in response to speculated federal regulation in the advertising industry.

Digital Advertising Alliance (DAA) YourAdChoices icon, appears as blue outlined triangle with inset letter 'i'
YourAdChoices icon. Image taken from

To address Congressional inquiries into consumer privacy (and any possible resulting legislative efforts), the DAA formed a self-regulatory program with a set of privacy principles for participating companies and developed the YourAdChoices icon. Participating companies can voluntarily elect to place this symbol on their advertisements. By its nature, the DAA self-regulatory program and use of the YourAdChoices icon is not enforced by law. However, the DAA enforces the program by offering a consumer complaint process, public investigation procedure, and if necessary, escalation to a government agency, which happened in the case of SunTrust Bank in 2014.

Typically, the YourAdChoices icon is placed on cross-context behavioral ads—that is, ads targeted to consumers based on a profile of that consumer’s characteristics, preferences, and internet activity. If a browsing consumer views an ad that was targeted to them, they can click the YourAdChoices icon next to the ad to control whether ads should be personalized to them while browsing and to learn why that certain ad was displayed to them.

When the California Consumer Privacy Act (CCPA) came into effect in 2020, it created new privacy requirements for over 500,000 business nationwide . One of the requirements is to prominently display a “Do Not Sell My Personal Information” link on a business’ homepage, if a business is subject to CCPA, and “sells” or discloses a consumer’s personal information for valuable consideration. If a consumer submits a request through the link, the business must allow consumers to opt-out of the sale of that consumer’s personal information.

In response to this new requirement, the DAA designed a green version of the YourAdChoices icon for CCPA use. This is called the Privacy Rights Icon.

Digital Advertising Alliance (DAA) Privacy Rights icon, appears as green outlined triangle with inset letter 'i'
Privacy Rights icon. Image taken from

When implemented correctly by participating companies, the green Privacy Rights icon brings consumers to, a website set up by the DAA to help centralize and facilitate “Do Not Sell” requests across all participating companies.

While the two DAA icons above are forms of industry self-regulation, the California Office of the Attorney General (OAG) has also designed a “Do Not Sell” button to accompany the Do Not Sell link.

Continue Reading Opt-Out Icons and Apple Privacy Labels: The Visual Privacy Policy
Individuals behind a password screen.

The Importance of Data Privacy For Protecting Business and Client Information

If you own a business that demands you to understand what data privacy is and how it affects you, then now is the time for you to get informed. It has much to do with maintaining an acceptable level of trust between organizations and clients. Data privacy compliance has a framework involving a set of guidelines that require business institutions to integrate into their security system as per several state and federal laws on varying levels.

What Is Data Privacy? 

Data privacy is a general concept that governs the handling, storage, access, and preservation of sensitive information or data. It is also referred to as information security or information control. 

In technical terms, it is a system designed to govern the handling, processing, distribution, safety management, and ownership of valuable digital information. This information may include personal details, such as credit card numbers, financial transaction details, and other facts accessible through digital systems that privately belong to individuals or organizations.

Data safety protocols and processes are imposed by the privacy protection laws in different countries. These laws ensure the legality of the use of sensitive personal information and provide guidelines for proper handling, storage, and transmission of such information. This ensures that the benefits derived from the various programs implemented by the organizations are legit and are not being abused to serve selfish ends. The process of implementation varies from each country or region and thus, different laws are governing data privacy issues in different parts of the world. 

Data Security

Protecting Business and Client Information

Data security is the practice of protecting data and maintaining the privacy of information, which obligates an organization to secure data at its source or to ensure the privacy of data in transit and throughout its lifecycle. This practice protects confidential information whether it is transmitted over the internet or through private networks. It also governs how organizations can safeguard corporate assets against corruption and unauthorized access. These have become more important with the growth of sophisticated data encryption technologies, which have made the transmission of sensitive corporate information more secure.

There are certain conditions recognized by countries across the world and are enforced by each government. They include the responsibilities of service providers to take reasonable measures to ensure the confidentiality of communications and related data, protection against data leaks and interference, and protection against the abuse of personal information. Aside from these, several laws address the rights of businesses to protect their clients’ private information. These include the right to secure network systems, secure the confidentiality of information, and providing clients with the right to access and see the documents that have been sent to them.

Data Compliance

Data compliance ensures the correct practice of data privacy along with legal and governmental regulations. If organizations are not complying with the regulations stated by the federal or state government, then they are going to find themselves out of compliance, and the clients, customers, and employees might also be bound to some legal stipulations. 

Companies that fail to comply with the legal conditions of data privacy may be sanctioned, which may include fines or other penalties. There are many legal defenses available to business owners who are accused of not being able to guarantee the confidentiality of their data. For example, a business owner may use a server that is situated abroad to facilitate trade for his company. Similarly, a person who has concerns about how a product or service obtained by purchasing online could use data protection tools and safeguard his privacy.

Businesses need to stay abreast of any changes to data protection laws and the only way for a business to satisfy data compliance is to adhere to the latest privacy law of a particular state. 

Why Is Data Privacy Important?

For starters, data privacy equips an organization to responsibly handle and protect the information of an entity or individual. Therefore, it implies the accountability of the responsible party, whether the organization, government, or a private entity, to protect any information that may be related to all transactions from unauthorized use, mishandling, and/or disclosure. 

How Does One Understand and Appreciate The Need For Privacy? 

A company’s data privacy can be interpreted as the confidence towards the organization in communicating sensitive data or information to its customers and partners. As such, companies that want to be considered most trustworthy will have to be reliable enough and have the integrity to follow data privacy protocols. This way, consumers can be reassured that their data is taken care of while they are using the company’s services. Secondly, data privacy also has to do with keeping suppliers and other business operations well within the law by ensuring compliance with regulatory requirements.

Data Privacy For Businesses and Organizations

Importance of Data Privacy

A business or organization must establish certain rules governing the use of private data for marketing, product research, customer contact, and evaluation, etc. For instance, when these valuable data are stored in company computer systems, the company and its employees are bound to respect the privacy set by data protection laws and make it impossible for anyone to commit unethical and illegal breaches. 

Whether you are a business or a consumer, how do you ensure your data is protected? 

You can guarantee security for your data through a security program installed into the organization’s computer and network system. There are many companies providing data security services to keep private information private and safe and ensure that the protocols follow state or federal laws. An organization’s IT department should be able to maintain the data privacy protocols regularly. This will keep the system running as smoothly as possible without the constant imminent threat of a data breach. 


Data privacy compliance is highly necessary for organizations to avoid breaking the law or risking their businesses and their clients’ personal information. Users are advised to follow basic personal data protection like using passwords whenever they transfer personal information online and use safety protocols when using public networks. It is up to the user to implement data privacy into the system and follow professional data security advice.

Find out which privacy laws impact your business. Metaverse Law specializes in privacy, data protection, and cybersecurity law to assist startups and multinationals across the country in the high-tech, digital marketing, healthcare, and e-commerce industries with their privacy and data security obligations. Visit us here today to learn more!

Image of virginia state and shield. Virginia has a new data privacy law.

Virginia Governor Signs Comprehensive Data Privacy Law

Image Credit: Kjrstie from Pixabay.

Following hot on the footsteps of the California Privacy Rights Act, Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. Below, please see our comparison of the the California Consumer Privacy Act and the Virginia Consumer Data Protection Act.

California Consumer Privacy Act
California Privacy Rights Act
Virginia Consumer Data Protection Act
Date of effectJanuary 1, 2020January 1, 2023January 1, 2023
Law applies toA “business” that meets at least one threshold below:
• Generates over $25M in annual gross revenue;
• Handles the records of at least 50,000 California consumers; or
• Generates over 50% in annual revenue from sales of consumer data
Same as CCPA, except the threshold for handling records of California consumers increases from 50,000 to 100,000.Applies to businesses that
• Handles the records of at least 100,000 Virginia consumers; or
• Handles the records of at least 25,000 Virginia consumers and derives over 50% in gross revenue from sales of consumer data

Definition of personal data
Any information that could be associated or linked with a particular consumer or household.Same as CCPA, except that there is a reasonableness element:
Any information that could be reasonably associated or linked with a particular consumer or household.
Limited to particular consumers.
“Any information that is linked or reasonably linkable to an identified or identifiable natural person”
Definition of sensitive personal dataDoes not define sensitive personal data.Defines sensitive personal data to include:
• Social security number
• Driver’s license
• Account log-in, debit,
or credit card number in combination with password or PIN
• Precise geolocation
• Racial/ethnic origins
• Religious or
philosophical beliefs
• Union membership
• Contents of e-mails or
texts to others
• Genetic/biometric
• Health information
• Sex life/sexual
orientation data
Defines sensitive personal data to include:
• Racial/ethnic origins
• Religious beliefs
• Mental or physical
health diagnosis
• Sexual orientation
• Citizenship/
immigration status
• Genetic/biometric
• Children’s data
• Precise geolocation
Consumer rights• Access
• Deletion
• Non-Discrimination
• Opt-out of:
o Sale of personal data
Same as CCPA, with the addition of rights to:
• Correct personal information
• Limit the use of
sensitive personal information
• Access
• Correction
• Deletion
• Port
• Opt-out of:
o Targeted advertising
o Sale of personal data
o Profiling in furtherance of decisions that produce legal effects
Data Privacy Impact AssessmentsNo requirement to conduct or document.No requirement to conduct or document.Controllers must conduct and document data protection assessments for the following activities:
• Targeted advertising
• Sale of personal data
• Profiling
• Sensitive data
• Catch-all: any data that presents a “heightened risk of harm to consumers.”
Data Protection AuthorityCalifornia Office of the Attorney General$10 million allocated per year to the California Privacy Protection Agency (CPPA).
Primary enforcement and rulemaking abilities shift from the California Attorney General to the CPPA.
Virginia Office of the Attorney General
Cure Provision30 days to cure upon written notice of a violation by the California Attorney General’s office.Ability to cure removed from CPRA.30 days to cure upon written notice of a violation by Virginia Attorney General’s office.
EnforcementAdministrative fines ranging from $2,500 per violation to $7,500 for intentional violations.Administrative fines of $7,500 now includes intentional violations and children’s data violations.Administrative fines of $7,500 per violation.
Private Right of ActionConsumers have a private right of action for the unauthorized disclosure of nonencrypted and nonredacted personal information.Same as CCPA.Consumers do NOT have a private right of action.
1 2 3 6